Method and apparatus for network security

ABSTRACT

The adaptive modification of the security level of a node in a network is enabled. For example, such modification may be achieved in dynamic networks, i.e. networks in which nodes may be mobile and in which the network topology is not constant. The node receives beacon signals from other nodes in the network, the signals providing an indication of the alert level of the other nodes and an indication of whether the other nodes are trusted members of the network. The alert level of the node is determined based on the received signals.

This application is the US national phase of international application PCT/GB03/01274 filed 25 Mar. 2003 which designated the U.S. and claims benefit of GB 0207400.3, dated 28 Mar. 2002 and EP 02252767.5, dated 19 Apr. 2002, the entire content of which is hereby incorporated by reference.

BACKGROUND

1. Technical Field

The present invention relates to data and communications networks and in particular, but not exclusively, to the security of such networks. The invention is particularly applicable to the management of security in dynamic networks.

2. Related Art

Current network security is based on the concept of fortification. Sensitive information/hardware is protected from the world outside the network by security software called a firewall that runs on a limited number of computers called gateways that provide the links between the network and other non-trusted networks and/or computers. Reaching within the protected network normally involves crossing one of these firewalls where identity controls are conducted and only legitimate access requests allowed.

This strategy is effective as long as there is no breach in the firewall and control at the gates is efficient. This security technique is well adapted to network architecture where data and communications are carried out over fixed physical wires and cables. In this kind of environment, security measures can effectively be implemented at the entry points to the network that cannot be avoided.

A drawback of this policy is that anything inside the walls is assumed to have successfully passed through a filtering procedure and is therefore implicitly trusted. So as soon as a hostile entity such as a hacker or virus has found a way to avoid all checkpoints it can access and damage anything that was supposed to be protected within the network. Such malevolent entry is often gained via an unsecured or compromised entry point commonly referred to as a back door. However, backdoors are relatively rare and/or difficult to find in well-protected systems. Therefore a hacker or virus needs to be relatively clever to be able to use them as a way of getting inside the secure network.

The efficiency of static firewalls is entirely dependent on 2 elements. The first is their ability to recognise intruders (which is why any anti-virus software has to be kept up-to-date). The second is the topological stability of the network they protect. In other words they are implemented where they are needed i.e. at interfaces with other networks and computers.

Network architecture is assumed to be fairly stable in the long term. In other words, the security manager knows where communications from the outside world will come from, and can use this information to prepare the network defences. As a result, computers behind the firewall can run only normal anti-virus software and still be reasonably safe, because serious, deliberate attacks are dealt with by the gateways.

However, emerging technologies such as peer-to-peer architecture and ad hoc communication networks mean that the concept of a static gateway is no longer applicable. For example, switching a mobile, wireless access point on or off at any time and place, and by doing so to join/leave a network of freely interacting devices means that the network topology is unstable.

The security systems for dynamic networks need to be able to cope with the threat of unknown viruses and inventive probing strategies as well as with dynamic topology. In the absence of adaptive defence mechanisms, these networks are vulnerable to new, yet undetectable forms of aggression, but also to attacks emanating from known malevolent entities, due to unexpected exposure of unprotected devices.

In a dynamic network, a node that is at one point safely located far behind the firewall can suddenly become directly exposed due to physical displacements or topological changes. An example of the first case might be a person walking out of the office while talking on a mobile phone, and switching from “voice over IP” (presumably using a secure base station protected by the corporate firewall) to the normal cellular phone network. The second situation (topological change) could involve a fixed server that starts acting as the primary access point for external customers after one of its counterparts (normally in charge of automated online support) has failed. In both cases, a device that was once safely behind the firewall without any protection of its own suddenly needs to raise a firewall in order to keep safe and avoid becoming a backdoor.

SUMMARY

Exemplary embodiments of the invention provide a method of determining an alert level of a node in a network of other nodes that may be trusted nodes or non-trusted nodes, the method comprising the steps of receiving one or more beacon signals from one or more other nodes in the network, said beacon signal providing to the node an indication of the alert level of the other node and/or an indication of whether the other node is a trusted or non-trusted member of the network; and determining an alert level for the node based on the alert level in the or each received beacon signal and/or the indication of the trusted or non-trusted nature of the other node.

Further exemplary embodiments of the present invention provide an apparatus or method for use in a network security system that uses local inhibitory signalling to identify possible security breaches, and does not require explicit notification of appearing and disappearing threats. The system is also highly scalable. These features are advantageous in dynamic topology, as traditional security updates can be too frequent to be explicitly tracked in real-time and the size and shape of a domain can change dramatically (e.g. fusion of sub-domains). The system combines several desirable characteristics like simplicity, robustness, scalability and a balance of stability (locally predictable behaviour) and adaptability (spontaneous response to unpredictable changes).

The exemplary system is designed to increase the plasticity of network security systems, enabling them to react to topological changes so that defensive measures are concentrated at the periphery. This is provided by an adaptive firewall, kept “dormant” in nodes that are located in a safe environment, but spontaneously building up to full strength as soon as the device on which it is running is no longer suitably protected.

BRIEF DESCRIPTION OF THE DRAWINGS

Exemplary embodiments of the invention are described below with reference to the accompanying figures in which:

FIG. 1 is a schematic representation of a network demonstrating a security breach;

FIGS. 2 a-2 b are schematic representations of nodes in a dynamic network illustrating topological modifications causing firewalls to run on the wrong nodes;

FIG. 3 is a graph showing the performance of an algorithm used in an embodiment of the invention;

FIGS. 4 a-4 b are schematic representations of nodes in a network operating in accordance with an embodiment of the present invention;

FIG. 5 is a flow chart illustrating the operation of a node in the network in accordance with an embodiment of the present invention;

FIG. 6 is a set of bar charts showing the progressive rise of the alert level for trusted nodes in a network in the vicinity of non-trusted nodes;

FIG. 7 a is a three-dimensional bar chart illustrating the alert profile for a 16×16 grid of trusted nodes located in the middle of a larger non-trusted network comprising 32×32 nodes; and

FIG. 7 b illustrates the spontaneous reorganisation of the grid of FIG. 7 a after some nodes have been excluded from the trusted domain.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

FIG. 1 provides an illustration of a security break in a network 101 of computers 103. The type of security break is termed a “transient backdoor”. The network 101 also includes a wireless local area network server (WLAN) 105 arranged to provide wireless links 106 between some of the computers 103. The network also comprises a printer 107 and two connections 109 to another network 111 such as the internet.

The illustration of the security breach will be provided by considering the effect on the network 101 of the additional connection of a laptop computer 113. The laptop 113 is capable of making wireless connections 115 to the internet 111 and to the WLAN 105 and also an infra-red connection to the printer 107. Before the laptop 113 initiates the connection 115 to the internet 111 using a modem and a mobile phone, all machines 103, 105, 107 are safely located behind firewall software (indicated by the plain flame symbol in FIG. 1) running on the only two computers 103 directly linked to the Internet 111 by connections 109.

However, while the laptop 113 stays connected to the network 101, some parts of the system become vulnerable to attack. For example, the laptop 113 is legitimately connected to the WLAN 105 but may be connected to the Internet 111 via its modem and connection 115 causing a security breach i.e. opening a transient backdoor. The laptop 113 may also connect to the printer 107 via the infrared link 117. In order to counter this security breach firewall software would also need to be running on at least one of the devices showing the question mark flame symbol in FIG. 1 i.e. the WLAN 105, and the printer 107 as well as the laptop 113 (either on the laptop 113 or on both the printer 107 and the WLAN 105).

Considering the situation illustrated in FIG. 1, this could mean that high profile firewall software should be running on every single element of the network 101 that is capable of making a connection to a device such as the laptop 113. In other words, every device in the network 101 needs to be running firewall software. In a large network this will in practice be an impractical solution, especially if the network is a dynamic, peer-to-peer and/or ad hoc network. In such networks there are unlikely to be convenient entry points where it is possible to concentrate defensive efforts such as firewall software. Every mobile element in the network will become a possible insecure access point to the network. The problem is that in such architectures, several gaps can appear and disappear simultaneously, which can rapidly result in firewalls running where they are least needed, deep inside the core of the network, and not at the interface with the outside world where hostile entities are.

FIGS. 2 a and 2 b provide an illustration of topological modifications to a network 201 that has a dynamic architecture. The modifications cause firewall software to run on the wrong devices 203 in the network 201. The impending device movements are indicated by black arrows leading from the devices 203 in FIG. 2 a. All friendly devices are indicated by the letter “F” and are protected from hostile entities that are indicated by the letter “H”. Firewall software is running on devices 205, 207 and 209, which are those effectively in contact with the threat. The situation after the device movements indicated in the network 201 a is shown in FIG. 2 b. After the change, the firewall defences located on devices 205 and 209 have become useless and the network 201 is now open to attacks targeting devices 215 or 217. An appropriate response in this situation would be to switch off firewalls on devices 205 and 209 and transfer them to devices 215 and 217.

In embodiments of the invention, devices or nodes in the network are each provided with firewall or other suitable security software. The strength of the firewall running on each node is variable and measured by a real number (x) comprised between 0 (no security) and 1 (maximum security level). Each node periodically sends beacon signals to its immediate neighbours, those beacon signals consisting of a recognisable ID (which may be encrypted to avoid impersonation) and the current security level (firewall strength) of the sending node. The format of the beacon signal is described in further detail below.

Each node, on reception of its neighbours' beacon signals, is arranged to calculate a new alert level for itself on the basis of its current status and the information contained in the N (or less) received beacon signals. This calculation is carried out using the following differential equation:

$$\frac{dx}{dt} = \frac{x(1 - x)}{N}\left(N - n + \alpha\sum_{i=1}^{n} x_{i}\right) - \beta x \qquad [1]$$

In equation [1], n ≤ N is the number of 1st neighbours for which this node has received a properly formatted beacon signal, i.e. a beacon signal including a recognisable tag identifying the sender as a trusted member of the community. The sum then represents the security level of the n trusted neighbours, (1−x) standing for saturation effects. The right-hand βx term (with 0<β<1) introduces a form of decay whereby firewall strength spontaneously lowers if not compensated. It should be noted that since there is no independent term, x=0 is always a trivial solution of equation [1], meaning that if security is non-existent, it requires an external intervention to raise the security level above zero.

Examining limit cases provides useful information about system behaviour generated by equation [1]. For example, considering the situation where none of the N 1st neighbours are trusted nodes (the device is isolated in the middle of potentially hostile peers), n is equal to zero and the sum is null. Equation [1] then becomes:

$$\frac{dx}{dt} = x(1 - x) - \beta x = x(1 - \beta) - x^{2} \qquad [2a]$$

and the (stable) positive solution is:

$$x = 1 - \beta \qquad [2b]$$

In other words, provided that x>0 when a node is first set up (residual security), the alert level of any isolated node will progressively rise until it reaches 1 (full security), at least if β<<1 which will typically be the case (spontaneous extinction of the firewall should be kept relatively slow).

Another interesting case is found for a network comprising only “friendly” nodes. In this case n=N and x should be identical throughout the system ($x_{i} = x$). In this situation equation [1] becomes:

$$\frac{dx}{dt} = \frac{x(1 - x)\,\alpha N x}{N} - \beta x = \alpha x^{2}(1 - x) - \beta x \qquad [3a]$$

Eliminating the trivial solution x=0, expression [3a] becomes a simple equation of the second degree:

$$\frac{dx}{dt} = -\alpha x^{2} + \alpha x - \beta \qquad [3b]$$

admitting a stable and an unstable solution given by:

$$x = \frac{\alpha \pm \sqrt{\alpha^{2} - 4\alpha\beta}}{2\alpha} \qquad [3c]$$

Those solutions only exist if α>4β, in which case the lower one acts as a threshold above which spontaneous decay cannot compensate for the combined self and cross-excitation among the nodes and the entire population goes to full security level (stable solution). Since in this scenario all devices are assumed to be trustworthy, this is obviously a pathological situation that should be prevented by careful selection of the parameter values (α and β) and of the initial firewall strength (x).

FIG. 3 is a graph showing equations [3a] and [3b] to illustrate the variation of the excitation level (dx) as a function of firewall strength (x) for chosen values of α and β. From FIG. 3 it can be seen that the solution x≅0.2 is the unstable threshold while x≅0.8 is the maximum attainable security level for the values of parameters α and β.

The parameter values α and β can be selected so that α>4β, out of the range where the analytical solutions given by expression [3c] are real and comprised between 0 and 1. This arrangement prevents the pathological situation noted above and only the trivial solution x=0 stands. In other words, a community of mutually trusting nodes cannot “go paranoid” and regardless of the perturbation, they will eventually revert to a low security state. However, given the fact that the subsequent ability of nodes to quickly raise a firewall again is dependent on their latent security level, it is advisable to “artificially” keep this value above a chosen threshold >0. It will be assumed that this additional constraint is in place. The alpha and beta parameters should always have values between 0 and 1. In terms of the behaviour of the security level and in turn the associated security software such as a firewall, alpha governs the speed at which the alert level increases in the absence of the appropriate inhibitory signal (beacon), while beta determines how fast the node reverts to low alert when returning to a safe environment (1st neighbours are trusted and on low alert).

FIGS. 4 a and 4 b illustrate an example of three nodes 401, 403, 405 using the beacon signal system noted above. The nodes 401, 403, 405 a are connected sequentially and as long as they all remain friendly as indicated by the letter “F”, expression [3b] stands and there can either be one (x=0) or three solutions (x=0 plus values given by [3c]) as illustrated in FIG. 4 a. However, if one node 405 a is compromised or is replaced by an intruder 405 b as shown in FIG. 4 b, then its beacon signal should either disappear or not be recognised by its neighbour(s), resulting in n=1<N=2 for the middle node 403. In other words, the security breach resulting from the replacement of the trusted node 405 a by a hostile entity 405 b has an effect on the value of n as used by its first neighbour node 403 when computing its new higher security level or alert status.

With reference to the example in FIGS. 4 a and 4 b, if the variables x and y represent the excitation level of the top device 401 and middle device 403 respectively, then any solution should satisfy the following conditions:

$$\frac{dx}{dt} = x(1 - x)\,\alpha y - \beta x = 0, \qquad \frac{dy}{dt} = \frac{y(1 - y)}{2}\left(1 + \alpha x\right) - \beta y = 0 \qquad [4a]$$

which means there is potentially a steady state obeying:

$$y = \frac{\beta}{\alpha(1 - x)}, \qquad x = \frac{\alpha + \beta - 1 \pm \sqrt{(\alpha - \beta + 1)^{2} - 4\beta(\alpha + 1)}}{2\alpha} \qquad [4b]$$

For the example shown in FIGS. 4 a and 4 b, if α=0.3 and β=0.1, the alert levels would stabilise for x≅0.6 and y≅0.83, demonstrating that (for those chosen parameter values) the device 403 in contact with the threat 405 b spontaneously raises a stronger firewall than its better protected counterpart 401.

As noted above, each node transmits and receives beacon signals. Depending on the particular network transmission medium employed, the way in which the beacon signal information is transmitted may vary. However, in the present embodiment, the beacon signals comprise an indication that the signal is a beacon signal, a unique node or device identifier and an indication of the security level of the transmitting node. The beacon signal indicator is placed in the header of the signal so that the data packets containing beacon signals can be distinguished from other packets in the network. The unique node or device identifier enables both nodes receiving beacon signals and a network manager or administrator to clearly identify each node or device. This identifier may be effectively a registration number for the node within the network. The calculation and use of the security level is described in further detail below.

Preferably, the beacon signal is encrypted for security. The beacon signal may be partially or completely encrypted. Where a signal is partially encrypted, at least the node identifier and the alert level should be encrypted. The encryption should be carried out with a key that is available to all trusted nodes in the network. This key enables the nodes to encrypt their own beacon signals for transmission and to decrypt received beacon signals. If a beacon signal is received from a non-trusted node then the decryption of the signal will not yield valid information thus indicating the non-trusted status of its sender. When the network manager or administrator chooses to denote one or more nodes or devices as non-trusted then the remaining trusted nodes are issued with a new encryption key. This causes the beacon signals of the newly non-trusted nodes to be corrupted.

Similarly, to gain access to the network, a new node or device would have to go through an application and verification procedure with the administrator or manager. This process preferably sets up a relationship between the administrator and a given node to enable encrypted communications between the two. This encryption should be carried out with a key that is unique to the node. This enables new beacon signal encryption keys to be sent to nodes securely and selectively so that newly non-trusted nodes can be shut out of the trusted network.

The processing that each node carries out in order to establish its security level will now be described with reference to FIG. 5. As the node initiates its activity in the network, a timer is set to zero at step 501 and at step 503 the node collects incoming beacon signals from its neighbouring nodes. At step 505, the timer is incremented and processing moves to step 507 where a periodic check determines whether the beacon signal of the node itself is due to be calculated and transmitted and if not, processing returns to step 503. If it is time to send a beacon signal then processing moves to step 509.

At step 509 all signals received from other nodes or devices are used to determine how many (N) are within range and at step 511, those signals that are recognised as beacons are authenticated to determine the number of trusted neighbours (n). Processing then moves to step 513 at which the node calculates a new alert level for itself using equation [1] above, the values for N and n calculated in steps 509 and 511 and the alert levels from the trusted beacon signals determined in step 511. Once the calculation is complete then at step 515 the node builds its own beacon signal, encrypts it and broadcasts the finished beacon signal. Processing then returns to step 501.
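Steps 509 to 515 as an added Python sketch, not code from the patent. It swaps the shared-key encryption described above for an HMAC-SHA256 tag under the same shared key, which is enough to show a beacon made without the current key being counted in N but not in n; the packet layout, `BEACON_MAGIC`, the link names and all function names are assumptions, and the keys are constructed sample values.

```python
import hashlib
import hmac
import struct

BEACON_MAGIC = b"BCN1"        # assumed header marker that identifies a beacon packet
BODY = struct.Struct("!Id")   # assumed body: 32-bit node id, 64-bit float alert level
TAG_LEN = hashlib.sha256().digest_size


def build_beacon(group_key, node_id, alert_level):
    """Step 515: build a beacon that only holders of group_key can produce."""
    body = BODY.pack(node_id, alert_level)
    tag = hmac.new(group_key, BEACON_MAGIC + body, hashlib.sha256).digest()
    return BEACON_MAGIC + body + tag


def parse_beacon(group_key, packet):
    """Return (node_id, alert_level) for a beacon made with group_key, else None."""
    if len(packet) != len(BEACON_MAGIC) + BODY.size + TAG_LEN:
        return None
    if not packet.startswith(BEACON_MAGIC):
        return None
    body = packet[len(BEACON_MAGIC):len(BEACON_MAGIC) + BODY.size]
    tag = packet[len(BEACON_MAGIC) + BODY.size:]
    expected = hmac.new(group_key, BEACON_MAGIC + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    node_id, level = BODY.unpack(body)
    if not 0.0 <= level <= 1.0:                  # also rejects NaN
        return None
    return node_id, level


def beacon_cycle(group_key, own_id, own_level, heard,
                 alpha=0.3, beta=0.1, dt=1.0, floor=0.1):
    """One pass through steps 509-515.

    heard maps a link address to the last packet received from it this period,
    beacon or not. Returns (new_level, N, n, own_beacon).
    """
    big_n = len(heard)                           # step 509: everything within range
    trusted = {}                                 # step 511: authenticated beacons
    for packet in heard.values():
        parsed = parse_beacon(group_key, packet)
        if parsed is not None and parsed[0] != own_id:
            trusted[parsed[0]] = parsed[1]       # one entry per node id, so a copy
    n = len(trusted)                             # of a beacon on a 2nd link adds to N only
    new_level = own_level                        # assumption: hold level if nothing heard
    if big_n:                                    # step 513: Euler step of equation [1]
        drive = big_n - n + alpha * sum(trusted.values())
        rate = own_level * (1 - own_level) / big_n * drive - beta * own_level
        new_level = min(1.0, max(floor, own_level + dt * rate))
    return new_level, big_n, n, build_beacon(group_key, own_id, new_level)


def rekey_scenario():
    """Node 403 before and after the administrator re-keys without node 405."""
    old_key, new_key = b"constructed-old-key", b"constructed-new-key"
    heard = {"link-a": build_beacon(old_key, 401, 0.1),
             "link-b": build_beacon(old_key, 405, 0.1)}
    before = beacon_cycle(old_key, 403, 0.1, heard)
    heard = {"link-a": build_beacon(new_key, 401, 0.1),
             "link-b": build_beacon(old_key, 405, 0.1)}   # 405 never got new_key
    after = beacon_cycle(new_key, 403, 0.1, heard)
    return before, after


if __name__ == "__main__":
    for label, (level, big_n, n, _) in zip(("before", "after"), rekey_scenario()):
        print(f"{label}: N={big_n} n={n} alert={level:.5f}")
```

The sketch carries no freshness field, so a recorded beacon stays valid until the next key change; a counter or timestamp covered by the tag would close that gap.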

FIG. 6 is an illustration of how a loop of 32 nodes would react to the middle 8 being non-trusted as shown by the black bars. A graph representation is used to show four representations as time progresses. The graphs show alert level of the nodes on the y-axis and the relative position of the nodes in the ring (with node 32 also being located next to node 1). As soon as nodes 12 and 21 stop receiving the appropriate inhibitory signal from their “right” and “left” neighbours respectively, the alert level of nodes 12 and 21 starts rising from the (imposed) minimum value of 0.1 (t=1). Nine time slots later (t=10) and nine non-trusted beacon signals will have been received from (or nine trusted beacon signals will be reported missing for) each of the non-trusted nodes 13 to 20. As a result, nodes 12 and 21 are near the maximum attainable firewall strength for those parameter values (α=0.3 and β=0.1) in this one-dimensional architecture.

Later in the process (t=100), nodes 11 and 22 also increase their alert level because, although they receive inhibitory signals from both their immediate neighbours, the beacon signals from nodes 12 and 21 include the alert levels for those nodes. These are taken into account by nodes 11 and 22 when calculating their respective alert levels in accordance with equation [1]. In other words, the beacon signals from nodes 11 and 21 come with a security warning attached. This security warning can be regarded as a second defensive layer, and also has the highly desirable effect of lowering reaction time should node 12 or 21 become non-trusted as well. In other words the next potential targets would already be above minimum alert level if the inhibitory signal from nodes 12 and 21 became missing at a later time (indicating they may have also been compromised).
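The three-node chain of FIG. 4 b and the 32-node ring of FIG. 6, integrated numerically from equation [1], as an added Python example that is not part of the patent. The Euler step size, the clamping of levels to the range from the imposed minimum of 0.1 up to 1, and the function names are assumptions; α and β are the values used in the text.

```python
import math

ALPHA, BETA = 0.3, 0.1   # parameter values used in the text
X_MIN = 0.1              # imposed minimum alert level (FIG. 6 discussion)


def rate(x, trusted_levels, n_neighbours, alpha=ALPHA, beta=BETA):
    """Right-hand side of equation [1]: len(trusted_levels) is n, n_neighbours is N."""
    missing = n_neighbours - len(trusted_levels)           # N - n
    drive = missing + alpha * sum(trusted_levels)
    return x * (1.0 - x) / n_neighbours * drive - beta * x


def simulate(neighbours, trusted, t_end, dt=0.1):
    """Euler-integrate equation [1] for every trusted node, all starting at X_MIN.

    neighbours: node id -> list of every node within range (trusted or not)
    trusted:    set of node ids whose beacons are recognised
    """
    x = {node: X_MIN for node in trusted}
    for _ in range(round(t_end / dt)):
        nxt = {}
        for node in trusted:
            levels = [x[j] for j in neighbours[node] if j in trusted]
            step = dt * rate(x[node], levels, len(neighbours[node]))
            nxt[node] = min(1.0, max(X_MIN, x[node] + step))
        x = nxt
    return x


def steady_state_4b(alpha=ALPHA, beta=BETA):
    """Closed-form steady state [4b] (positive root) for devices 401 (x) and 403 (y)."""
    root = math.sqrt((alpha - beta + 1) ** 2 - 4 * beta * (alpha + 1))
    x = (alpha + beta - 1 + root) / (2 * alpha)
    y = beta / (alpha * (1 - x))
    return x, y


def chain_after_intrusion(t_end=500):
    """FIG. 4 b: 401 sees only 403 (N=1); 403 sees 401 and the intruder 405 b (N=2)."""
    neighbours = {401: [403], 403: [401, 405]}
    return simulate(neighbours, trusted={401, 403}, t_end=t_end)


def ring_with_untrusted_block(size=32, untrusted=range(13, 21), t_end=200):
    """FIG. 6: a loop of 32 nodes, node 32 next to node 1, nodes 13 to 20 non-trusted."""
    nodes = range(1, size + 1)
    neighbours = {i: [(i - 2) % size + 1, i % size + 1] for i in nodes}
    return simulate(neighbours, set(nodes) - set(untrusted), t_end)


if __name__ == "__main__":
    chain = chain_after_intrusion()
    print("chain simulated  x=%.3f y=%.3f" % (chain[401], chain[403]))
    print("chain from [4b]  x=%.3f y=%.3f" % steady_state_4b())
    ring = ring_with_untrusted_block()
    for node in (9, 10, 11, 12, 21, 22, 23):
        print("ring node %2d alert level %.3f" % (node, ring[node]))
```

In the ring, nodes 12 and 21 settle near 0.81, nodes 11 and 22 form the weaker second layer near 0.27, and every node further in stays at the 0.1 floor.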

The effect of the system will now be illustrated in relation to a more complicated architecture such as a grid-like structure, with nodes arranged in a regular square lattice where each node has 4 immediate neighbours (instead of 2 as in the example described in relation to FIG. 6).

FIG. 7 a is a three dimensional graph illustrating the security level of nodes in a network 701 in relation to their relative positions in the lattice. FIG. 7 a shows the situation once a stable alert profile has been reached by a 16×16 domain of trusted nodes located in the middle of a larger 32×32 network of non-trusted nodes. Spontaneously, the 256 mutually trusting nodes 701 differentiate into an enclosure 703 made of devices that are in contact with the outside world and are in charge of security (high alert level), and a group of 196 nodes inside the enclosure 703 running a dormant firewall. The absence of a secondary defensive layer inside the enclosure is attributable to the fact that parameter values are the same as for the one-dimensional example (FIG. 6, α=0.3 and β=0.1) while the number of neighbours monitored by each node is doubled (4 instead of 2). This results in the secondary defensive reaction being suppressed to some extent. However, evidence of this secondary reaction can be seen in FIG. 7 a by the slightly raised security level of the nodes 705 at the inner corners of the enclosure 703. This is a result of these nodes 705 having two immediate neighbours on high security alert at the periphery of the enclosure 703.

FIG. 7 b illustrates the spontaneous reorganisation of the enclosure 703 that is the reaction to some nodes being excluded from the trusted domain i.e. becoming non-trusted. In other words, the profile of the firewall software can change dynamically to respond to alterations of network topology. In this case, a portion of the original domain representing 25% of the nodes has been declared untrustworthy. Such a situation could result, for example, from a human decision to exclude the corresponding sub-domain by distributing a new encryption key to the remaining 75%. This would result in the effective corruption of beacon signals from the old members since they are no longer recognised and so lose their inhibitory effect.

The purpose of the system described above is to compute an alert level that automatically and dynamically adapts to any change in the environment that has security implications. Typically, the opening of a security breach in a mobile architecture, such as an ad-hoc or peer-to-peer (p2p) network, can have 2 different origins:

- A device in the network moves into potentially dangerous territory where it could be exposed to attacks by malevolent entities (e.g. outside the Firewall).
- A non-trusted entity is breaking into a previously secure environment (e.g. a laptop is physically brought within range of another computer, so that a direct link can be established without passing through a protected entry point).

A node running the system described above would increase its alert level as a response to either of these changes, by detecting the presence of an information flow that is not associated with a properly formatted/encrypted beacon signal (n<N). Yet as will be understood by those skilled in the art, defining what changes in the security policy would result from this increased alert level remains the responsibility of the network administrator, and may vary substantially from one network to another.

Nevertheless, as will be understood, the node can use its alert level x to select among several security policies as defined by the network administrators. Traditionally, 4 generic security stances are defined:

1. Nothing is permitted (the paranoid approach)
2. Everything not explicitly permitted is prohibited (the prudent approach)
3. Everything not explicitly prohibited is permitted (the permissive approach)
4. Everything is permitted (the promiscuous approach)

Commonly, a network administrator will define several prudent and several permissive policies. For example in an e-mail scenario:

- Permissive 1. Everything is permitted, except executable attachments
- Permissive 2. Everything is permitted, except executable attachments and use of wireless
- Prudent 1. Everything is prohibited, except text messages over a wired medium
- Prudent 2. Everything is prohibited, except encrypted text messages over a wired medium.

The transition between these policies can be governed by the alert level of the node, which itself depends on the presence/absence of non-trusted entities, their proportion in the environment, and the parameter values (which should also be chosen by the administrator to reflect his/her security concern). For example, an alert level x<0.25 could be interpreted as Permissive 1, 0.25<x<0.5 as Permissive 2, 0.5<x<0.75 as Prudent 1 and x>0.75 as Prudent 2.

As will be understood by those skilled in the art, the system may be implemented with nodes having differing levels of trust between each other. In other words a node may be partially or completely trusted, with a partially trusted node only being allowed to carry out a subset of all the operations within the network. The partially trusted nodes will be able to maintain a connection with the network but the security system will make sure that this is at a higher security level than connections with trusted devices that will be more permissive. This may be implemented by including in each beacon signal, a trust level for the node that will have been assigned by the network administrator. This trust level may act as a set of privileges i.e. defining the node's allowed operations, or it may serve to step up the alert level of the trusted nodes that the partially trusted node makes connections with.

It should also be noted that, due to the self-amplifying nature of the system, some of these states are likely to be unstable, which could be a very desirable feature if properly used. For example, if a non-trusted device is present on the network and triggers Permissive 2, x (the alert level) could start rising on its own and eventually reach Prudent 1 unless the threat disappears. This would be equivalent to the system autonomously, spontaneously and implicitly making a distinction between a transient risk (non-trusted wireless-enabled laptop accidentally passes by), temporarily requiring a slightly higher profile, and a dedicated hacking attempt (the presence of an unidentified device is recorded for several minutes), calling for more elaborate countermeasures.

The system should be regarded as a way of never exceeding a constant level of acceptable risks in a changing environment, knowing that these risks can be relatively high (like allowing 10% of unidentified devices within communication range before moving to Permissive 2 for example). Indeed, it is always the case that efficiency and security have to be balanced against each other, and the system provides a means of maintaining such balance in the particularly demanding circumstances of an unpredictably dynamic threat.

Equation [5] below is an alternative to equation [1] described above.

$$\frac{dx}{dt} = \frac{x(1 - x)}{N^{\gamma}}\left(N - n + \alpha\sum_{i=1}^{n} x_{i}\right)^{\gamma} - \beta x \qquad [5]$$

If the exponent gamma in equation [5] is higher than one, it will slow down the rise in alert level; if it is lower than one (it should always be positive though), it will have the opposite effect (make it faster). This equation enables adaption to higher dimensions of connectivity in the network. For example, if a node has ten neighbours (N=10, five dimensions in a square lattice), it may be desirable for the node's alert level to rise more quickly even if the node is still strongly inhibited i.e. receiving trusted beacon signals from most surrounding nodes. For example, two non-trusted nodes could look negligible when submerged in the beacon signals inhibiting the node's defences (unlike when there were four neighbours). However, this doesn't necessarily mean that two compromised neighbours are less of a threat, so in order to compensate, the administrator (or some kind of adaptive algorithm) can lower gamma so that two missing beacons out of ten are taken as seriously as two missing beacons out of four.
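The compensation described above can be worked through numerically. The following is an added example, not code from the patent: it integrates equation [5] with forward Euler and computes the gamma at which two missing beacons out of ten drive the alert level as strongly as two out of four. It assumes N is the number of neighbours, n the number of valid beacons received and x_i their alert levels (held at zero here), treats y as the integration variable, and uses constructed values for alpha, beta and the starting alert level.

```python
import math

def drive(N, n, neighbour_alerts, alpha, gamma):
    """Bracketed term of equation [5] divided by N**gamma."""
    if len(neighbour_alerts) != n or not 0 <= n <= N or gamma <= 0:
        raise ValueError("need n alert levels, 0 <= n <= N and gamma > 0")
    return ((N - n + alpha * sum(neighbour_alerts)) / N) ** gamma

def rate(x, N, n, neighbour_alerts, alpha, beta, gamma):
    """Right-hand side of equation [5] for the node's own alert level x."""
    return x * (1 - x) * drive(N, n, neighbour_alerts, alpha, gamma) - beta * x

def settle(x0, steps=4000, h=0.05, **params):
    """Forward-Euler integration of equation [5]; returns the final alert level."""
    x = x0
    for _ in range(steps):
        x = min(1.0, max(0.0, x + h * rate(x, **params)))
    return x

def equalising_gamma(N_ref, N, missing):
    """gamma for which `missing` absent beacons out of N give the same drive
    as out of N_ref at gamma = 1 (valid neighbours all at zero alert)."""
    if not 0 < missing < min(N_ref, N):
        raise ValueError("missing must be positive and below both N values")
    return math.log(missing / N_ref) / math.log(missing / N)

# Constructed parameter values (assumptions, not taken from the patent).
ALPHA, BETA, X0 = 0.5, 0.3, 0.01

def scenario(N, missing, gamma):
    """Settled alert level when `missing` of N neighbours send no valid beacon."""
    n = N - missing
    return settle(X0, N=N, n=n, neighbour_alerts=[0.0] * n,
                  alpha=ALPHA, beta=BETA, gamma=gamma)

if __name__ == "__main__":
    tuned = equalising_gamma(4, 10, 2)
    print("2 of 4 missing,  gamma=1.00:", round(scenario(4, 2, 1.0), 3))
    print("2 of 10 missing, gamma=1.00:", round(scenario(10, 2, 1.0), 3))
    print("2 of 10 missing, gamma=%.2f:" % tuned, round(scenario(10, 2, tuned), 3))
```

With these constructed values the ten-neighbour node relaxes back to zero at gamma = 1, because the drive (0.2) is below beta, whereas the lowered gamma restores the same settled alert level as the four-neighbour case.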

As will be understood by those skilled in the art, equations [1] and [5] could be further modified to respond to specific conditions, for example increasing non-linearity, by introducing constants or further exponents.

Nodes may be arranged to transmit beacon signals that omit the alert level from the signal specifically but instead modify the emission frequency of the beacon signal. In other words, the frequency of beacon signal emission is increased as the alert level rises. Other means for communicating the same data as contained in the beacon signal will be clear to those skilled in the art.

It will be understood by those skilled in the art that the apparatus that embodies the invention could be a general purpose device having software arranged to provide an embodiment of the invention. The device could be a single device or a group of devices and the software could be a single program or a set of programs. Furthermore, any or all of the software used to implement the invention can be contained on various transmission and/or storage mediums such as a floppy disc, CD-ROM, or magnetic tape so that the program can be loaded onto one or more general purpose devices or could be downloaded over a network using a suitable transmission medium.

Unless the context clearly requires otherwise, throughout the description and the claims, the words “comprise”, “comprising” and the like are to be construed in an inclusive as opposed to an exclusive or exhaustive sense; that is to say, in the sense of “including, but not limited to”.

1. A method of determining an alert level of a node in a network of other nodes that may be trusted nodes or non-trusted nodes, the method comprising: receiving one or more beacon signals from one or more other nodes in the network, said beacon signal providing to the node an indication of the alert level of the other node and/or an indication of whether the other node is a trusted or non-trusted member of the network; and determining an alert level for the node based on the alert level in the or each received beacon signals and/or the indication of the trusted or non-trusted nature of the other node; wherein the beacon signals from other nodes are collected over a predetermined period and the alert level rises automatically if the proportion of the received beacon signals that are non-valid exceeds a predetermined threshold within the predetermined period.
2. A method according to claim 1 in which the alert level is increased unless beacon signals are received from a trusted other node having a low alert level.
3. A method according to claim 1 in which the alert level is increased by the reception of beacon signals from a non-trusted other node.
4. A method according to claim 1 in which the alert level rises at a rate proportional to the sum of all the alert levels of the received beacon signals.
5. A method according to claim 1 in which the beacon signals are encrypted and each signal which cannot be validly decrypted is treated as being from a non-trusted other node.
6. A method according to claim 1 in which the node transmits a beacon signal comprising the determined alert level for reception by one or more other nodes in the network.
7. A method according to claim 6 in which the beacon signal also includes an identification of the node.
8. A method according to claim 1 in which the alert level is used to govern the performance of security software for the node.
9. A computer-readable storage medium containing a computer program comprising processor implementable instructions for causing one or more processors to perform the method according to claim 1 when the instructions are executed by the processor or processors.
10. Apparatus for determining an alert level of a node in a network of other nodes that may be trusted nodes or non-trusted nodes, the apparatus comprising: at least one computer disposed in a communications network node: said computer including a computer program storage medium from which computer program code is executed; said computer including means for receiving one or more beacon signals from one or more other nodes in the network, said beacon signal providing to the node an indication of the alert level of the other node and/or an indication of whether the other node is a trusted or non-trusted member of the network; and said computer including means for determining an alert level for the node based on the alert level in the or each received beacon signals and/or the indication of the trusted or non-trusted nature of the other node; wherein the beacon signals are collected from other nodes over a predetermined period and the alert level is arranged to rise automatically in response to the proportion of the received beacon signals that are non-valid exceeding a predetermined threshold within the predetermined period.
11. Apparatus according to claim 10 further including means operable to increase the alert level unless beacon signals are received from a trusted other node having a low alert level.
12. Apparatus according to claim 10 further including means operable to increase the alert level in response to the reception of beacon signals from a non-trusted other node.
13. Apparatus according to claim 10 further including means operable to increase the alert level at a rate proportional to the sum of all the alert levels of the received beacon signals.
14. Apparatus according to claim 10 further including means operable to encrypt the beacon signals and each received beacon signal which cannot be validly decrypted is treated as being from a non-trusted other node.
15. Apparatus according to claim 10 further including means operable to transmit a beacon signal comprising the determined alert level for reception by one or more other nodes in the network.
16. Apparatus according to claim 15 further including means operable to include an identification of the node in the beacon signal.
17. Apparatus according to claim 10 further including means operable to govern the performance of security software for the node using the alert level.
18. A computer-readable storage medium containing a computer program comprising processor implementable instructions for causing one or more processors in one or more respectively associated computers to operate as the apparatus according to claim 10 when the instructions are executed by the processor or processors.